void sim_debug_output (const char *format,void *p,const char *file,const char *func,unsigned int line, ...){
va_list args;
int len,len1;
char tempbuf[TXT_BUF_SIZE];
char *buf;
char *pbuf = NULL;
if (ossim.log.level == G_LOG_LEVEL_DEBUG){
va_start (args, line);
len = snprintf (NULL,0,"%p:%s:%s:%u => ",p,file,func,line);
len1 =vsnprintf (NULL,0,format,args);
va_end (args);
if ((len+len1+2)<(TXT_BUF_SIZE)){
buf = tempbuf;
}else{
if (( pbuf = buf = malloc (len+len1+2)) == NULL){
g_warning ("Can't allocate memory to send log message\n");
abort ();
}
}
if (buf != NULL){
len = snprintf (buf,len+1,"%p:%s:%s:%u => ", p, file, func, line);
va_start (args,line);
len1 = vsnprintf (&buf[len],len1+1,format,args);
//g_message (">>>> len:%u len1:%u",len,len1);
//buf[len1+len] = '\0';
ossim_debug ("%s", buf);
}
if (pbuf)
free (pbuf);
va_end (args);
}
}
gchar*
sim_event_get_alarm_insert_clause (SimDatabase *db_ossim,
SimEvent *event,
gboolean removable)
{
gchar time[TIMEBUF_SIZE];
gchar *timestamp=time;
GString *query;
GdaConnection *conn;
gchar *e_alarm_stats = NULL;
g_return_val_if_fail (SIM_IS_EVENT (event), NULL);
conn = sim_database_get_conn (db_ossim);
if(event->time_str)
timestamp=event->time_str;
else
strftime (timestamp, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));
guint efr = event->priority * event->reliability * 2; //this is used for compliance. The "*2" is to take a percentage
if (event->alarm_stats)
e_alarm_stats = sim_str_escape (event->alarm_stats, conn, 0);
ossim_debug ( "%s: risk_c:%f, risk_a:%f", __func__, event->risk_c, event->risk_a);
query = g_string_new ("REPLACE INTO alarm "
"(event_id, backlog_id, corr_engine_ctx, timestamp, plugin_id, plugin_sid, "
"protocol, src_ip, dst_ip, src_port, dst_port, "
"risk, efr, similar, removable, stats) VALUES (");
g_string_append_printf (query, "%s", sim_uuid_get_db_string (event->id));
g_string_append_printf (query, ",%s", sim_uuid_get_db_string (event->backlog_id));
g_string_append_printf (query, ",%s", sim_uuid_get_db_string (sim_engine_get_id (event->engine)));
g_string_append_printf (query, ",'%s'", timestamp);
g_string_append_printf (query, ",%d", event->plugin_id);
g_string_append_printf (query, ",%d", event->plugin_sid);
g_string_append_printf (query, ",%d", event->protocol);
g_string_append_printf (query, ",%s", (event->src_ia) ? sim_inet_get_db_string (event->src_ia) : "NULL");
g_string_append_printf (query, ",%s", (event->dst_ia) ? sim_inet_get_db_string (event->dst_ia) : "NULL");
g_string_append_printf (query, ",%d", event->src_port);
g_string_append_printf (query, ",%d", event->dst_port);
g_string_append_printf (query, ",%d", ((gint)event->risk_a > (gint)event->risk_c) ? (gint)event->risk_a : (gint)event->risk_c);
g_string_append_printf (query, ",%u", efr);
g_string_append_printf (query, ",IF('%s'<>''", (event->groupalarmsha1 != NULL ? event->groupalarmsha1 : ""));
g_string_append_printf (query, ",'%s'", (event->groupalarmsha1 != NULL ? event->groupalarmsha1 : ""));
g_string_append_printf (query, ",SHA1('%s'))", sim_uuid_get_db_string (event->id));
g_string_append_printf (query, ",%d", removable);
g_string_append_printf (query, ",'%s')", e_alarm_stats ? e_alarm_stats : "");
g_free (e_alarm_stats);
return g_string_free (query, FALSE);
}
/**
* sim_db_update_backlog:
* @database: a #SimDatabase
* @backlog: a #SimDirective
*
* Updates @backlog in @databse
*/
void
sim_db_update_backlog (SimDatabase *database,
SimDirective *backlog)
{
gchar *query = NULL;
query = sim_directive_backlog_get_update_clause (backlog);
ossim_debug ("%s: query= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
}
gboolean
sim_event_set_sid (SimEvent *event)
{
gchar *device_ip;
gchar *sensor_device;
guint sid;
g_return_val_if_fail (SIM_IS_EVENT (event), FALSE);
ossim_debug ("%s: Setting (sid) for event->id=%s", __func__, sim_uuid_get_string (event->id));
if (event->device)
{
device_ip = sim_inet_get_canonical_name (event->device);
sensor_device = g_strdup_printf ("%s/%s/%s", sim_uuid_get_string (event->sensor_id), event->interface, device_ip);
g_free (device_ip);
}
else
sensor_device = g_strdup_printf ("%s", sim_uuid_get_string (event->sensor_id));
sid = sim_container_get_sensor_sid (ossim.container, sensor_device);
if (!sid) // First event for this sid, so we must insert the sensor to the database
{
// Insert it to db as the old way (but now it's cached).
sid = sim_organizer_snort_sensor_get_sid (ossim.dbsnort, event->sensor_id, event);
sim_container_add_sensor_sid (ossim.container, sensor_device, sid);
ossim_debug ("%s: not from cache: sid: %u", __func__, sid);
}
else
{
ossim_debug ("%s: from cache: sid: %u", __func__, sid);
g_free (sensor_device);
}
event->device_id = sid;
return TRUE;
}
/**
* sim_db_insert_backlog:
* @database: a #SimDatabase
* @backlog: a #SimDirective
*
* Insert @backlog in @database
*/
void
sim_db_insert_backlog (SimDatabase *database,
SimDirective *backlog)
{
gchar *query = NULL;
g_return_if_fail (SIM_IS_DATABASE (database));
g_return_if_fail (SIM_IS_DIRECTIVE (backlog));
query = sim_directive_backlog_get_insert_clause (backlog);
ossim_debug ("%s: query= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
}
/**
* sim_db_insert_dummy_backlog_event:
* @database: a #SimDatabase
* @event: a #SimEvent
*
*/
void
sim_db_insert_dummy_backlog_event (SimDatabase *database,
SimEvent *event)
{
gchar *query, *values;
g_return_if_fail (SIM_IS_DATABASE (database));
g_return_if_fail (SIM_IS_EVENT (event));
values = sim_directive_dummy_backlog_event_get_values_clause (event);
query = g_strdup_printf("INSERT INTO backlog_event VALUES %s", values);
ossim_debug ("%s: query = %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (values);
g_free (query);
}
SimEvent *
sim_event_new (void)
{
SimEvent *event;
GString *st;
gint i;
event = g_slice_new0 (SimEvent);
sim_event_init (event);
st = g_string_new ("");
for (i = 0; i < N_TEXT_FIELDS; i++)
{
g_string_append_printf (st, "%s%s", sim_text_field_get_name (i), (i != (N_TEXT_FIELDS - 1)) ? "," : "");
}
event->sql_text_fields = g_string_free (st, FALSE);
ossim_debug ("sim_event_instance_init");
event->signature = 0xdeadbeef;
event->type = SIM_EVENT_TYPE_NONE;
event->log = NULL;
//The agent should always write a date/time field in the events, so it's not necesary to initialize time, time_str, diff_time and tzone
//
event->protocol = SIM_PROTOCOL_TYPE_NONE;
event->condition = SIM_CONDITION_TYPE_NONE;
event->asset_src = VOID_ASSET;
event->asset_dst = VOID_ASSET;
event->store_in_DB = TRUE; //we want to store everything by default
event->can_delete= FALSE; // It has to be processed by 2 threads before destruction
event->is_correlated = FALSE; //local mode
event->correlation = EVENT_MATCH_NOTHING;
event->belongs_to_alarm = FALSE; //this is send across network
event->policy= NULL; //DON'T release memory for this variable!!!! (the data inside belongs to Container)
event->context = NULL;
event->engine = NULL;
return event;
}
/**
* sim_db_insert_host_mac:
*
* Insert 'host mac' event in @databse
*/
void
sim_db_insert_host_mac (SimDatabase *database,
SimInet *inet,
gchar *date,
gchar *mac,
gchar *vendor,
gchar *interface,
SimInet *sensor,
SimUuid *context_id)
{
gchar *query;
gchar *vendor_esc;
g_return_if_fail (SIM_IS_DATABASE (database));
g_return_if_fail (SIM_IS_INET (inet));
g_return_if_fail (date);
g_return_if_fail (mac);
g_return_if_fail (interface);
g_return_if_fail (sensor);
// we want to insert only the hosts defined in Policy->hosts or inside a network from policy->networks
// if((sim_container_get_host_by_ia(container,ia) == NULL) && (sim_container_get_nets_has_ia(container,ia) == NULL))
// return;
vendor_esc = g_strescape (vendor, NULL);
query = g_strdup_printf ("INSERT INTO host_mac (id, ctx, sensor, date, mac, vendor, interface) "
"SELECT id, %s, %s, '%s', '%s', '%s', '%s' FROM host WHERE ip = %s and ctx = %s LIMIT 1",
sim_uuid_get_db_string (context_id),
sensor ? sim_inet_get_db_string (sensor) : "NULL",
date,
mac,
(vendor_esc) ? vendor_esc : "",
interface,
sim_inet_get_db_string (inet),
sim_uuid_get_db_string (context_id));
g_free (vendor_esc);
ossim_debug ("%s: query: %s", __func__, query);
sim_db_execute_query (database, query);
g_free (query);
}
/**
* sim_db_insert_backlog_event:
* @database: a #SimDatabase
* @backlog: a #SimDirective
* @event: a #SimEvent
*
* Insert @backlog @event in @databse
*/
void
sim_db_insert_backlog_event (SimDatabase *database,
SimDirective *backlog,
SimEvent *event,
gint level)
{
gchar *query;
g_return_if_fail (SIM_IS_DATABASE (database));
g_return_if_fail (SIM_IS_DIRECTIVE (backlog));
g_return_if_fail (SIM_IS_EVENT (event));
query = sim_directive_backlog_event_get_insert_clause (backlog, event, level);
ossim_debug ("%s: query= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
}
/**
* sim_db_insert_alarm:
* @database: #SimDatabase
* @event: event alarm
* @removable: if the alarm is removable or not (it'll be removable only if it's finished/reached timeout).
*
* This is usefull if the event has the "alarm" flag. This can occur for example if the event has
* priority&reliability very high and it has been converted automatically into an alarm. Also, this can occur
* if the event is a directive_event which has been re-inserted into container from sim_correlation.
*
* we also assign here an event->id (if it hasn't got anyone, like the first time the event arrives).
* event->id is just needed to know if that event belongs to a specific backlog_id (a directive), so if
* an event is not part of an alarm, it hasn't got any sense to fill event->id.
*
*/
void
sim_db_insert_alarm (SimDatabase *database,
SimEvent *event,
gboolean removable)
{
gchar *insert;
g_return_if_fail (SIM_IS_DATABASE (database));
g_return_if_fail (SIM_IS_EVENT (event));
ossim_debug ("%s with id %s", __func__, sim_uuid_get_string (event->id));
insert = sim_event_get_alarm_insert_clause (database, event, removable);
sim_database_execute_no_query (database, insert);
g_free (insert);
return;
}
/**
* sim_db_insert_event:
* @database: a #SimDatabase
* @event: a #SimEvent to insert
*
* This function gets an event-> id and insert the event into DB.
*/
void
sim_db_insert_event (SimDatabase *database,
SimEvent *event)
{
gchar *query = NULL;
g_return_if_fail (SIM_IS_DATABASE (database));
g_return_if_fail (SIM_IS_EVENT (event));
if (event->is_stored)
{
ossim_debug ("%s: Duplicate insert event->id: %s", __func__, sim_uuid_get_string (event->id));
return;
}
ossim_debug ("%s: Storing event->id = %s event->is_stored = %u", __func__,
sim_uuid_get_string (event->id), event->is_stored);
query = sim_event_get_insert_clause (event);
ossim_debug ("%s: query= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
if (event->src_username || event->dst_username)
{
query = sim_event_idm_get_insert_clause (sim_database_get_conn (database), event);
ossim_debug ("%s: idm_data query_values= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
}
if (event->data || event->log || event->binary_data)
{
query = sim_event_extra_get_insert_clause (sim_database_get_conn (database), event);
ossim_debug ("%s: extra_data query_values= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
}
if (g_hash_table_size (event->otx_data) > 0)
{
query = sim_event_pulses_get_insert_clause (sim_database_get_conn (database), event);
ossim_debug ("%s: otx_data query_values= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
}
event->is_stored = TRUE;
}
void
sim_db_update_plugin_sid (SimDatabase *database,
SimDirective *directive,
SimUuid *uuid)
{
SimPluginSid *plugin_sid = NULL;
gchar *query;
g_return_if_fail (SIM_IS_DATABASE (database));
g_return_if_fail (SIM_IS_DIRECTIVE (directive));
g_return_if_fail (SIM_IS_UUID (uuid));
plugin_sid = sim_plugin_sid_new_from_data (SIM_PLUGIN_ID_DIRECTIVE,
sim_directive_get_id (directive),
1,
sim_directive_get_priority (directive),
sim_directive_get_name (directive));
query = sim_plugin_sid_get_insert_clause (plugin_sid, uuid);
ossim_debug ("%s: %s", __func__, query);
sim_database_execute_no_query (database, query);
g_object_unref (plugin_sid);
g_free (query);
}
static void
_sim_event_free (SimEvent *event)
{
ossim_debug ("%s: Id %s, Device_id %u", __func__,
sim_uuid_get_string (event->id), event->device_id);
if (event->id)
g_object_unref (event->id);
if (event->src_ia)
g_object_unref (event->src_ia);
if (event->dst_ia)
g_object_unref (event->dst_ia);
if (event->src_net)
g_object_unref (event->src_net);
if (event->dst_net)
g_object_unref (event->dst_net);
if (event->src_id)
g_object_unref (event->src_id);
if (event->dst_id)
g_object_unref (event->dst_id);
if (event->sensor)
g_object_unref (event->sensor);
if (event->sensor_id)
g_object_unref (event->sensor_id);
if (event->device)
g_object_unref (event->device);
g_free (event->interface);
g_free (event->server);
if (event->servername)
g_free (event->servername);
g_free (event->sql_text_fields);
g_free (event->value);
g_free (event->data);
if (event->role)
sim_role_unref (event->role);
if (event->policy)
g_object_unref (event->policy);
g_free (event->time_str);
if (event->log)
g_string_free (event->log, TRUE);
g_free (event->alarm_stats);
g_free (event->filename); //no needed to check, g_free will just return if "filename" is NULL
g_free (event->username);
g_free (event->password);
g_free (event->userdata1);
g_free (event->userdata2);
g_free (event->userdata3);
g_free (event->userdata4);
g_free (event->userdata5);
g_free (event->userdata6);
g_free (event->userdata7);
g_free (event->userdata8);
g_free (event->userdata9);
g_free (event->rulename);
if (event->src_username)
g_hash_table_unref (event->src_username);
g_free (event->src_username_raw);
if (event->dst_username)
g_hash_table_unref (event->dst_username);
g_free (event->dst_username_raw);
g_free (event->src_hostname);
g_free (event->dst_hostname);
g_free (event->src_mac);
g_free (event->dst_mac);
g_free (event->str_rep_act_src);
if(event->rep_act_src)
g_hash_table_unref (event->rep_act_src);
g_free (event->str_rep_act_dst);
if(event->rep_act_dst)
g_hash_table_unref (event->rep_act_dst);
g_free (event->buffer);
if (event->groupalarmsha1)
g_free (event->groupalarmsha1);
if (event->binary_data)
g_free (event->binary_data);
if (event->context)
g_object_unref (event->context);
if (event->engine)
g_object_unref (event->engine);
g_slice_free (SimEvent, event);
}
